zhipu-image

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is mostly purpose-aligned, but it warrants a Review verdict because it reads and saves browser login cookies and includes broad browser traffic monitoring helpers.

Install only if you are comfortable giving the skill access to a logged-in Chrome DevTools session and letting it save Zhipu-related cookies locally. Use an isolated browser profile if possible, avoid running the network monitor during unrelated browsing, and delete ~/.zhipu_image_session.json when finished. The evidence supports a Review verdict rather than Malicious because the behavior is mostly disclosed and aimed at image generation, and no artifact-backed exfiltration or destructive action was found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises and documents capabilities to inspect login state, open a browser, capture cookies/session state, and call remote web endpoints, but the manifest does not declare corresponding permissions. Hidden or undeclared access to environment- or network-sensitive capabilities weakens user consent and review, and can enable unexpected session or data exposure during execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is image generation via an existing web login, but the skill also includes a network-monitoring component that attaches to a browser debugging port and inspects request/response traffic. That materially expands the skill from simple automation into traffic interception and reverse-engineering behavior, which can expose tokens, cookies, prompts, and other sensitive request data beyond user expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: This script connects to a browser over CDP and passively captures requests across the whole browsing session, not just the minimum calls needed for image generation. Because the URL filter is broad ('api', 'z.ai', or 'generation') and the tool prints matching requests and bodies to stdout, it can expose unrelated authenticated traffic and sensitive metadata beyond the skill's stated purpose.

Intent-Code Divergence

Severity: Low
Confidence: 89%
Finding: The comments claim the tool analyzes Zhipu AI API traffic, but the implemented matching logic also captures any URL containing generic substrings such as 'api' or 'generation'. This mismatch increases the chance of overcollection from unrelated sites or services and undermines user expectations about the scope of monitoring.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill description says it will "抓取浏览器 Cookie" (capture browser cookies) and use web login state, but it does not present a prominent user warning about collecting browser cookies/session data or the security implications. Browser session artifacts are highly sensitive authentication material; capturing them can enable account takeover or cross-service abuse if they are mishandled, logged, or reused.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The skill automatically downloads generated images into a local captures directory, but this storage side effect is not surfaced clearly in the top-level description. This is less severe than credential capture, but unexpected file writes can still create privacy, disk-usage, or workspace hygiene issues, especially in shared or automated environments.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The monitor logs POST bodies directly to the console, which can reveal prompts, tokens, session-bound identifiers, personal data, or other secrets submitted by the browser. In a skill already intended to inspect login state and browser cookies, this significantly increases sensitivity because the captured data may be sufficient for account misuse or privacy compromise.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script persists authenticated session material to a predictable file in the user's profile directory with no encryption, permission hardening, or consent prompt. Those cookies can be reused to impersonate the user against image.z.ai, so any local compromise, other skill, or curious user/process with filesystem access could steal the session.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: This code connects to Chrome DevTools on a fixed port and extracts browser cookies for multiple domains, then repurposes them for API calls. Harvesting browser cookies is highly sensitive because it bypasses normal application auth boundaries and enables session hijacking if the captured values are misused, logged, or exfiltrated.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal